before the
Subcommittee on the Constitution of the House Judiciary Committee

April 6, 2000

Mr. Chairman and Subcommittee Members, thank you for calling this hearing and affording CDT the opportunity to testify about Fourth Amendment protections in cyberspace. Our nation is at a point where revolutionary changes in communications and computer technology have outpaced the privacy protections in our laws. Far more information than ever before is available to the government under minimal or inadequate legal standards. It is time for Congress to strengthen the privacy laws to restore a balance between government surveillance and personal privacy, to build user trust and confidence in these economically vital new media, and to afford both law enforcement agencies and online service providers the clear guidance they deserve.

The Center for Democracy and Technology is a non-profit, public interest organization dedicated to promoting civil liberties and democratic values on the Internet. Our core goals include ensuring that the Constitution's protections extend to the Internet and other digital information technologies. CDT also coordinates the Digital Privacy and Security Working Group (DPSWG), a forum for more than 50 computer, communications, and public interest organizations, companies and associations working on information privacy and security issues.

The Internet is a wonderfully transformative medium. Consequently, it has become a necessity in most workplaces and a fixture in most schools and libraries. According to a December 1999 Harris poll, 56% of American adults are online, 6 times higher than 4 years ago. But as more and more of our lives are conducted online and more and more personal information is transmitted and stored electronically, the result has been a massive increase in the amount of sensitive data available to government investigators.

While the Justice Department frequently emphasizes the ways in which digital technologies pose new challenges to law enforcement, the fact is that, on balance, the digital revolution has been a boon to government surveillance and collection of information. The FBI estimates that over the next decade, given planned improvements in the digital collection and analysis of communications, the number of wiretaps will increase 300 per cent. Computer files are a rich source of evidence: in a single case last year, the FBI seized enough computer evidence to nearly fill the Library of Congress twice. As most people sense with growing unease, everywhere we go on the Internet we leave digital fingerprints, which can be tracked by marketers and government agencies alike. The FBI in its budget request for FY 2001 seeks additional funds to "data mine" these public and private sources of digital information for their intelligence value. Yet the computer and communications privacy laws were last updated in 1986.

Recently, following a series of hacker attacks on e-commerce web sites, the Justice Department has proposed changes to the electronic surveillance laws to enhance law enforcement authorities. (In fact, the changes are not directly responsive to the recent attacks, but have been on the Justice Department's agenda for some time.) But surely, before enacting any enhancements to government power, we should ensure that current laws adequately protect privacy. As I will explain, the standards for government access to information are not high enough to protect the privacy of ordinary citizens. We must tighten the standards for government surveillance and access to information. CDT is prepared to work with the Congress and the Justice Department to flesh out the needed privacy enhancements, and to convene DPSWG as a forum for building consensus.

Background: Fourth Amendment Privacy Principles

To understand how far current privacy protections diverge from the principles of the Constitution, we should start with the protections accorded by the Fourth Amendment. If the government wants access to your papers or effects in your home or office, it has to meet a high standard:

The government must obtain a warrant from a judge based on a showing of probable cause to believe that a crime has been, is being or is about to be committed and that the search will uncover evidence of the crime. The warrant must "particularly" describe the place to be searched and the things to be seized.

The government must provide you with contemporaneous notice of the search and an inventory of items taken. Richards v. Wisconsin, 520 U.S. 385 (1997); Wilson v. Arkansas, 514 U.S. 927 (1995). The notice and inventory requirements provide protections that are crucial notwithstanding the existence of a judicial warrant. In the case where police have come to the wrong address, you can try to point that out to them and they may withdraw. If you are the subject of a lawful search, you can observe the police to ensure that they confine their search to the scope of the warrant. In the case of a prolonged search, you can even rush to the courthouse and ask a judge to stop or narrow the search. And the inventory allows you to seek return of your property and tells you what information is in the hands of the government, so that you can respond and defend yourself against the government's suspicions or allegations.

These rules apply in the computer age, so long as you keep information stored on your hard drive or disks in your home or office.

The Supreme Court held in 1967 that wiretapping is a search and seizure and that telephone conversations are entitled to protection under the Fourth Amendment. Katz v. United States, 389 U.S. 347 (1967), Berger v. New York, 388 U.S. 41 (1967). Congress responded by adopting Title III of the Omnibus Crime Control and Safe Streets Act of 1968, requiring a court order based on a finding of probable cause to intercept wire or oral (i.e., face-to-face) communications. 18 U.S.C. §2510 et seq. However, Congress did not require the contemporaneous notice normally accorded at the time of a search and seizure. This was a fateful decision, but, the government argued, to give contemporaneous notice would defeat the effectiveness of the surveillance technique. In part to make up for the absence of notice, and recognizing the other uniquely intrusive aspects of wiretapping, Congress added to Title III requirements that go beyond the protections of the Fourth Amendment. These additional protections included: permitting the use of wiretaps only for investigations of a short list of very serious crimes; requiring high level Justice Department approval before court authorization can be sought; requiring law enforcement agencies to exhaust other, less intrusive techniques before turning to eavesdropping; directing them to minimize the interception of innocent conversations; providing for periodic judicial oversight of the progress of a wiretap; establishing a statutory suppression rule; and requiring detailed annual reports to be published on the number and nature of wiretaps.

Over time, though, many of these additional protections have been substantially watered down. The list of crimes has been expanded, from the initial 26 to nearly 100 today and more are added every Congress. Minimization is rarely enforced by the courts. The exhaustion requirement has been weakened. Evidence is rarely excluded for violations of the statute. Almost every year, the number of wiretaps goes up - 12% in 1998 alone. Judicial denials are rare - only 3 in the last 10 years. The average duration of wiretaps has doubled since 1988. So even in the world of plain old telephone service we have seen an erosion of privacy protections. The fragility of these standards is even more disconcerting when paired with the FBI's "Digital Storm" plans for digital collection, voice recognition and key word searching, which will reduce if not eliminate the practical constraints that have up to now limited the volume of information that the government can intercept.

After it ruled that there was an expectation of privacy in communications, the Supreme Court took a step that had serious adverse consequences for privacy: It held that personal information given to a third party loses its Fourth Amendment protection. This rule was stated first in a case involving bank records, United States v. Miller, 425 U.S. 435 (1976), but it is wide-ranging and now serves as the basis for government access to all of the records that together constitute a profile of our lives, both online and offline: credit, medical, purchasing, travel, car rental, etc. In the absence of a specific statute, these records are available to law enforcement for the asking and can be compelled with a mere subpoena issued without meaningful judicial control. The implications of this "third party record" rule are seen most recently in the Administration's proposed Cyberspace Electronic Security Act (CESA), which would allow the government to obtain encryption "keys" or other decryption information from third parties under a court order procedure that would provide neither the probable cause nor the notice protections of the Fourth Amendment.

In 1979, a third piece of the privacy scheme was put in place when the Supreme Court held that there is no constitutionally-protected privacy interest in the numbers one dials to initiate a telephone call, data collected under a device known as a pen register. Smith v. Maryland, 442 U.S. 735, 742 (1979). While the Court was careful to limit the scope of its decision, and emphasized subsequently that pen registers collect only a very narrow range of information, the view has grown up that transactional data concerning communications is not constitutionally protected. Yet, in an increasingly connected world, a recording of every telephone number dialed and the source of every call received can provide a very complete picture - a profile - of a person's associations, habits, contacts, interests and activities. (Extending this to email and other electronic communications can, as I explain below, be even more revealing.)

In 1986, as cellular telephone service became available and email and other computer-to-computer communications were developing, Congress recognized that the privacy law was woefully out of date. Title III anachronistically protected only wire and voice communications: it did not clearly cover wireless phone conversations or email. In response, Congress adopted the Electronic Communications Privacy Act of 1986 (ECPA). ECPA did several things: it made it clear that wireless voice communications were covered to the same degree as wireline voice communications. It extended some but not all of Title III's privacy protections to electronic communications intercepted in real-time.

ECPA also set standards for access to stored email and other electronic communications and transactional records (subscriber identifying information, logs, toll records). 18 USC § 2701 et seq. And it adopted the pen register and trap and trace statute, 18 USC § 3121 et seq., governing real-time interception of "the numbers dialed or otherwise transmitted on a telephone line." (A pen register collects the "electronic or other impulses" that identify "the numbers dialed" for outgoing calls and a trap and trace device collects "the originating number" for incoming calls.) To obtain such an order, the government need merely certify that "the information likely to be obtained is relevant to an ongoing criminal investigation." 18 USC §§ 3122-23. (There is no constitutional or statutory threshold for opening a criminal investigation.) The law states that the judge "shall" approve any request signed by a prosecutor.

ECPA did not, however, extend full Title III protections to email sitting on the server of an ISP. Instead, it set up a two-tiered rule: email in "electronic storage" with a service provider for 180 days or less may be obtained only pursuant to a search warrant, which requires a finding of probable cause, but the additional protections of Title III -- limited number of crimes, high level approval, judicial supervision -- do not apply. Email in storage for more than 180 days may be obtained with a warrant or a mere subpoena. In no case is the user entitled to contemporaneous notice. The email portions of ECPA also do not include a statutory suppression rule for government violations and do not allow for public or congressional oversight through annual reports.

Mapping the Fourth Amendment Onto Cyberspace

Remarkably, ECPA was the last significant update to the privacy standards of the electronic surveillance laws. Astonishing and unanticipated changes have occurred since then:

the development of the Internet and the World Wide Web as mass media;

the convergence of voice, data, video, and fax over wire, cable and wireless systems;

the proliferation of service providers in a decentralized, competitive communications market;

the movement of information out of people's homes or offices and onto networks controlled by third parties;

the increasing power of hand-held computers and other mobile devices that access the Internet and data stored on networks.

As a result of these changes, personal data is moving out of the desk drawer and off of the desktop computer and out onto the Internet. Does this mean that information is being stored more and more in configurations not protected by the Fourth Amendment? The government argues that this is a choice people make - you can keep the data on your own server and you can stay off the Internet if you care about privacy. But isn't this a little like arguing that you lose your privacy rights when you choose to communicate using the services of a telephone company, and if you want to preserve your privacy you should visit the person and have a face-to-face conversation? To say that people are choosing to let go of their data and stop there would leave the Fourth Amendment protections available in the home when increasingly information is not stored there anymore. Rather, it is necessary to adopt legislative protections that map Fourth Amendment principles onto the new technology.

It is clear that the surveillance laws' protections are too weak:

The standard for pen registers is minimal - judges must rubber stamp any application presented to them.

Many of the protections in the wiretap law, including the special approval requirements and the statutory rule against use of illegally obtained evidence, do not apply to email and other Internet communications.

Data stored on networks is not afforded full privacy protection.

ISP customers are not entitled to notice when personal information is subpoenaed in civil lawsuits; notice of government requests can be delayed until it is too late to object.

And inconsistent standards apply to government access to information about one's activities depending on the type of technology used. For example, watching the same movie via satellite, cable TV, Internet cable modem and video rental is subject to four different privacy standards.

In addition, there are many ambiguities, some of which have existed since ECPA was enacted, others caused by technology's continuing evolution since 1986. For example, does the pen register statute apply to email or Web communications? If so, what are "the numbers dialed or otherwise transmitted"? To get email addresses and Web addresses (URLs), can the government serve a pen register order on the ISP or must it use an order under ECPA? What information is collected under a pen register order and from whom in the case of a person who is using the Internet for voice communications? What standard applies if the person has a cable modem? Is an Internet portal an electronic communications service under ECPA? Are search terms covered by ECPA? Does ECPA cover government access to information about one's activity at an e-commerce site? Do people have a constitutionally protected privacy interest in their calendars stored on Internet Web sites? At best, the answers are unclear.

The importance of these questions is heightened by the fact that transactional or addressing data for electronic communications like email and Web browsing can be much more revealing than telephone numbers dialed. First, email addresses are more personally revealing than phone numbers because email addresses are unique to individual users. Furthermore, if the pen register authority applies to URLs or the names of files transmitted under a file transfer protocol, then the addressing information can actually convey the substance or purport of a communication.

Outlining the Necessary Privacy Enhancements

To update the privacy laws, Congress could start with the following issues:

Increase the standard for pen registers. Under current law, a court order is required but the judge is a mere rubber stamp - the statute presently says that the judge "shall" approve any application signed by a prosecutor saying that the information sought is relevant to an investigation. Instead, the government should be required to justify its request and the order should issue only if the judge affirmatively finds that the government has shown that the information sought is relevant and material.

Define and limit what personal information is disclosed to the government under a pen register or trap and trace order served on Internet service providers.

Add electronic communications to the Title III exclusionary rule in 18 USC §2515 and add a similar rule to the section 2703 authority. This would prohibit the government from using improperly obtained information about electronic communications.

Require notice and an opportunity to object when civil subpoenas seek personal information about Internet usage.

Improve the notice requirement under ECPA to ensure that consumers receive notice whenever the government obtains information about their Internet transactions.

Require statistical reports for §2703 disclosures, similar to the reports required under Title III.

Make it clear that Internet queries are content, which cannot be disclosed without consent or a probable cause order.

Provide enhanced protection for information on networks: probable cause for seizure without prior notice, opportunity to object for subpoena access.

Conclusion

We do not need a new Fourth Amendment for cyberspace. The one we have is good enough. But we need to recognize that people are conducting more and more of their lives online. They are storing increasing amounts of sensitive data on networks. They are using technology that can paint a full profile of their personal lives. The price tag for this technology should not include a loss of privacy. It should not be the end of the privacy debate to say that technological change takes information outside the protection of the Fourth Amendment as interpreted by the courts 25 years ago. Nor is it adequate to say that individuals are voluntarily surrendering their privacy by using new computer and communications technologies. What we need is to translate the Fourth Amendment's vision of limited government power and personal privacy to the global, decentralized, networked environment of the Internet.

House Rule XI, clause 2(g)(4) disclosure: Neither James X. Dempsey nor CDT has received any federal grant, contract, or subcontract in the current or preceding two fiscal years.